[EMAIL PROTECTED] - Fri Nov 22 10:27:16 2002]:
>
> OS: Windows, but I think it is a cross-platform bug.
> Version: 0.9.6g
>
> In the following function which is called from
> PKCS7_sign, if the source text contains a line of text
> which is exactly a mutiple of MAX_SMLEN-2 characters
> long and has a CRLF line ending, then the gets call
> will return a buffer which ends with just a CR, and
> then on the next call a line that contains just an LF,
> which will result in two CRLF pairs being put into the
> output.
>
> A harmless bit of buggy coding is also present. The
> value of len is not checked in the inner while loop.
> Any line which only contains CR or LF characters will
> cause len to go to 0, and the memory location
> linebuf[-1] will be read. Its extremely unlikely that
> the value at that location is a CR or LF, so usually
> the loop terminates anyway. But, its not nice to go
> out of bounds, and I imagine memory protection faults
> could be triggered on some platforms.
>
> This only affects callers who do not pass PKCS7_BINARY
> in the flags parameter (our work-around was to
> normalize the line endings ourselves and then pass
> PKCS7_BINARY).
>
Should be fixed no in 0.9.7-stable and 0.9.8-dev. Please check the next
snapshot.
Steve.
__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]